Home / server / Questions / 866235
In Process
jmazaredo
Asked: 2017-08-02 01:06:29 +0800 CST

Postfix sending spam from unknown user

  • 772

I have a Postfix mail server.

The problem is it is sending spam. The logs showed the following:

538ED2BF7F2: client=unknown[103.214.xxx.xx]
538ED2BF7F2: message-id=<>
538ED2BF7F2: from=<[email protected]>, size=786, nrcpt=1 (queue active)
538ED2BF7F2: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.204.27]:25, delay=4, delays=2.1/0.02/0.8/1, dsn=2.0.0, status=sent (250 2.0.0 OK 1501439317 91si6880315ply.391 - gsmtp)
538ED2BF7F2: removed

I have a wrapper for PHP & Apache and checked whether it was from a form or script on a website, but it wasn't: it was not being logged. And I checked HTTP logs for possible logins/post from the specific IP address, but nothing comes up.

Also I changed the password. The server is not open relay.

Any other ideas?

UPDATED XXX_Reject

smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination check_sender_access hash:/etc/postfix/sender_access reject_rbl_client zen.spamhaus.org reject_rbl_client bl.spamcop.net reject_rbl_client cbl.abuseat.org permit
smtpd_sender_restrictions =
        permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        permit

smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination  reject_rbl_client zen.spamhaus.org reject_unknown_reverse_client_hostname permit
linux

1 Answers

  1. Are you sure your server isn't an open relay?

    For a start the restrictions should be comma separated, which is probably the main problem.

    Also I generally prefer to end with an explicit reject rather than permit. Anything that doesn't happen to match a deny rule is going to end up permitted. (Your reject_unauth_destination should stop any mail to domains you don't specifically allow relay to, but still it's better to just reject by default)

    Edit to extend answer: Based on the logs, the client is connecting remotely and sending an email from the mydomain.com domain to gmail.com successfully, so once you've sorted out the format of the restrictions you just need to identify why it's getting a permit action.

    I personally would go with a configuration similar to the following. Note that I don't know your full environment or configuration so I provide no guarantee that you can just use this without modification or full testing (as I haven't tested it at all either). It's entirely possible something else in your config is broken and causing the original issue

    smtpd_relay_restrictions =
    permit_mynetworks, # allow from mynetworks
    permit_sasl_authenticated, # allow authed users
    check_client_access hash:$config_directory/access, # any additional IP addresses
    reject # no other relaying

smtpd_sender_restrictions =
    permit_mynetworks, # allow anything from mynetworks..
    reject_non_fqdn_sender, # ..otherwise reject bad sender address and
    reject_unknown_sender_domain # reject invalid sender domain

smtpd_client_restrictions = 
    permit_mynetworks, # allow anything from local systems
    reject_unknown_reverse_client_hostname, # check client rdns
    reject_rbl_client zen.spamhaus.org, # reject anything on blacklists
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client cbl.abuseat.org
    • 2